Vodafone says the risk of using Huawei equipment in telecoms infrastructure is so low that a ban on its use would be entirely disproportionate and would delay the rollout of 5G in the UK significantly.
Several countries have expressed concerns about the security of Huawei kit, most notably the US where the company is effectively frozen out of the market, while the UK government is currently conducting a review.
One of the accusations levelled against Huawei is that it installs backdoors for foreign states to conduct espionage or to shut down critical infrastructure.
Huawei has repeatedly denied the accusations, while there is little appetite for a ban among mobile operators who fear costs would rise and innovation would decrease. All four major UK operators are Huawei customers, including Vodafone.
Speaking to journalists in London, Vodafone UK CTO Scott Petty said the company works closely with the National Cyber Security Centre (NCSC) to assess the potential risk of Huawei gear to its network and found the threat to its radio and transport networks to be low to medium. Meanwhile, Vodafone doesn’t use Chinese vendors in its core network, which is deemed to be the highest risk.
“With the radio network, the risk is low because an attack on a base station isn’t effective [to steal data]. There are too many base stations and too many people who move around. Equally, it’s low risk from an infrastructure perspective as you could switch off one base station and although it would be inconvenient for a few users, we have 18,000 base stations.
“The effort to launch an attack on a base station is not worth the reward. It’d be easier to hack your phone.”
Vodafone uses Huawei kit in a third of its base stations, with the remainder powered by Ericsson and Nokia (although the latter is being phased out).
“The reason we have multiple vendors is to give us incremental layers of protection. If you wanted to take down our RAN, you’d need to take down both Ericsson and Huawei.”
This multi-vendor approach is applied across all layers of Vodafone’s network, helping to boost security, but also driving innovation and increasing commercial leverage. Huawei isn’t used in Vodafone’s transport layer because it believes using the same vendors as its radio layer would reduce this buffer. Instead it has opted for Nokia, Juniper and Cisco.
Meanwhile, Vodafone uses Cisco for its core network – by far and away the most sensitive and high risk part of the network because of the data that is stored there. With 5G, the risk becomes greater because edge computing distributes various functions around the network, opening up more attack surfaces.
“We felt that this was the right decision to make [even though] Huawei is a strong vendor,” explained Petty. “However, we felt based on the risk profile in the UK, we’d be better off making that call.
“If you got into the core network, you’d control the entire network. Last year, O2 had an outage caused by an expired certificate and it took down their entire network.
“Using Huawei in the core network would open us up to a risk that would be unmanageable.”
The UK government’s review is expected to be published next month, with recent reports suggesting that there will be no outright ban on the use of Huawei gear. Instead, it is likely that operators will be limited to using Huawei equipment for half of their infrastructure.
This would suit Vodafone, which believes a multi-vendor approach is “just good supply chain management” and that the removal of a player in the market would limit competition. If a ban was applied retrospectively, then the rollout of 5G could be delayed. These warnings have been echoed by major industry players such as ARM.
“If we were forced to remove Huawei kit from 32 per cent of our base stations, the cost would be hundreds of millions of pounds and it would delay 5G considerably as we would have to refresh our 4G infrastructure before rolling out 5G.”
“We’ve seen no evidence of backdoors and no one has provided any suggestion that [a ban] would be a proportionate response,” added Helen Lamprell, General Counsel & External Affairs Director at Vodafone UK. “If there’s evidence of [wrongdoing] we’d love to see it. As Nick Read [Vodafone Group CEO] said at Mobile World Congress, if the US has evidence, we’d like to see it.”
Vodafone believes the UK approach to managing risk is the way to go and wants monitoring and testing to be conducted at an international level – for all vendors – to create consistent rules and guidance to follow.
“I think the UK has led the world in this model,” said Petty. “The NCSC has dispensed great advice and allowed the UK to be in a much better place than other parts of the world.
“There’s no evidence [of a backdoor]. Any questions that have been raised have been about software quality.
“We are all exposed to gaps in our vendor software engineering capabilities … as a mobile operator you have to assume anything is insecure because there could be mistakes.
“We have to use somebody and that’s why we carry out risk assessments.”